CLOUDFLARE 


Browser Isolation: Built-in Zero Trust for the Internet 


Cloudflare Browser Isolation secures data in-use from untrusted users and devices, and 
protects devices and users from ransomware and phishing — even zero-day attacks. 


Large attack surface, limited controls 
Today, the web browser is the most 
widely used corporate application — 
representing a large attack surface. 


Yet historically, protecting users from 
browser-based threats has been 
imperfect. And applying controls to 
safeguard how users interact with 
sensitive data has been even harder. 


Not your average remote browser 


Compatibility 
Works natively on any 
webpage, in any browser 


Performance 
Delivers a low latency 
stream of the webpage 


Built on Cloudflare 

Our browser isolation is built from the 
ground up with our other Zero Trust 
services on our network and designed to 
run across our 250+ locations. 


Web browsing sessions are served as 
close to users as possible, ensuring a 
lightning-fast experience. 


Perfecting Zero Trust 

Applying Zero Trust to browsing means 
that no code or interactions should be 
trusted to run on devices by default. 


Cloudflare Browser Isolation runs all code 
at our edge — insulating users from 
untrusted web content and protecting 
data in browser interactions from 
untrusted users and devices. 

Natively integrated 

Unlike other providers, Cloudflare has 
natively-integrated browser isolation with 
all our Zero Trust services. 


Use a single management interface for: 

- Secure web gateway (SWG) 
- Zero trust network access (ZTNA) 
- Cloud access security broker (CASB) 
- Cloud email security (on roadmap) 
- and more 

Reduce attack surface 
Zero Trust browsing stops 
malicious code on 
uncategorized, risky, or 
even low-risk sites from 
infecting users’ devices. 

Simplify deployment 

Set Zero Trust browsing 
policies in the same place 
where you manage 
application access. 


Protect data 

Stop data loss and phishing 
by controlling user actions 
(keyboard input, copy, print, 
up/download) within apps 
or risky sites. 

Threat protection 


Minimize your attack surface without compromising user experience 


Challenge: 

No IT team can keep every browser patched against known 
vulnerabilities. Plus, the reality is that filters and inspections 
will never prevent or detect 100% of threats even with the 
best intel. Blocking every site is also not the answer: 
excessive restrictions could cause more damage in lost 
user productivity. 


Solution: 

Our Browser Isolation runs a headless version of the 
Chromium browser, which renders all browser code at our 
edge, instead of on your endpoints, to mitigate known and 
unknown threats like malware. The low-latency experience 
is invisible to end users and feels like a local browser. 


How it works 

Key use cases 


Ransomware 


Isolation is a stalwart first line of 
defense against ransomware 
infection while browsing. 


But even for non-isolated sites, 
native integrations with our SWG and 
ZTNA services mitigate risk. 


Use our SWG to block risky sites and 
domains, and use our ZTNA to 
prevent harm from spreading 
laterally across your network. 




Phishing and email security 


According to CISA, over 90% of 
successful cyber attacks start with a 
phishing email. Isolation not only 
stops harmful code from executing 
locally, but also can stop submission 
of sensitive personal information via 
keyboard input controls. 


Plus, in the future, with a single click, 
admins will be able to activate email 
filtering capabilities - powered by 
Area 1. 

Deployment with a device client 
Send user traffic from devices to 
Cloudflare’s global network for 
full L4-7 filtering and inspection. 


Clientless deployment 

Send users to an isolated 
hyperlink without exposing their 
public IP or device to potential 
malicious code on the site. 


Zero-day attacks 


Isolation protects devices from 
zero-day threats by executing all 
code far away from the endpoint. 


When a patch is available for the 
zero-day vulnerability, Cloudflare 
automatically deploys the patch to all 
remote browsers on our network. 
This means admins do not need to 
interrupt users from their work to 
force updates. 

Data protection 


Secure data in use within web browsers 


Challenge: 

The rise of SaaS software has made the web browser the 
primary way users access data. But traditionally, admins 
have had limited controls over data once it is delivered to 
the browser. Users typically can copy, paste, or print 
sensitive data or PII into other websites, apps, or locations. 
These common actions increase the risk of a data breach. 


How it works 




Solution: 

Running an isolated browser restores control to admins to 
protect sensitive data on any website or SaaS application. 
With just a few clicks, admins can build granular rules 
preventing risky user actions within the browser. This 
includes restricting download, upload, copy-paste, 
keyboard input, and printing functionalities. 

Key use cases 


Secure contractor access 


Cloudflare can isolate connections to 
specific hyperlinks — without 
installing any software on user 
devices. 


This clientless web isolation model 
enables admins to protect data that 
contractors and other users on 
unmanaged devices interact with — 
all without added configuration 
overhead. 




Any web-, SSH-, or 
VNC-based app 


Control input on suspicious sites 


Cloudflare’s network intelligence 
tracks higher risk Internet properties 
such as ‘Typosquatting’ and ‘New 
Domains’ that are often used for 
phishing attacks. 


Admins can protect teams by 
isolating these high-risk websites, 
serving them in read-only mode and 
disabling file uploads, downloads 
and keyboard input. 

Deployment with a device client 
Gain full visibility and create 
device posture aware policies 
over how users on managed 
devices interact with data. 


Clientless deployment 

Isolate apps with sensitive data 
(like a CRM) that users on 
unmanaged devices are most 
likely to access regularly. 


Integrate with third-party solutions 


We recognize that organizations may 
need a gradual transition from their 
legacy solutions. 


With our clientless deployment, 
admins can integrate Cloudflare with 
their existing web or email gateways. 
They can then send high-risk clicks 
to our remote browser, where a 
custom block page or other data 
protections can be applied. 


REV: PMM-2022APR 


The Cloudflare difference 


Browser Isolation: Fundamental to Zero Trust 


Isolation is a core Zero Trust principle. Extending visibility and controls into the 
browser is as easy as a few clicks with Cloudflare’s Zero Trust platform. 

Local vs. remote browsing 


Local browsing 

Untrusted web page code and 
phishing sites execute locally on the 
endpoint device. Users can freely 
input sensitive data into phishing 
websites and their devices and data 
are directly exposed to unpatched or 
zero-day threats. 


Remote browsing 

Unfiltered code or sites can be 
executed in a continuously patched 
remote browser. User interaction is 
controlled to prevent malware and 
phishing attacks and zero-day attacks 
are cordoned from the end-user’s 
device. 




Cloudflare’s approach 


Network Vector Rendering (NVR) 
Unlike bandwidth-heavy pixel 
pushing or fragile content-disarm 
and reconstruction techniques, NVR 
streams safe draw commands to 
the device without transmitting any 
malicious web page code or 
impacting the end user experience. 


Our global network 

Other providers host remote 
browsers in public cloud providers. 
Cloudflare positions browsers 
closer to your users for an 
experience that feels no different 
than local browsing, anywhere. 

Isolation made approachable 
Historically, browser isolation 
existed as a standalone solution 
that only large enterprises could 
justify purchasing because of 
high cost and complexity. 


With Cloudflare, native 
integrations with ZTNA, SWG, 
and other SSE services make it 
easy to begin your security 
modernization journey where it 
makes sense before extending 
Zero Trust further with browser 
isolation. 


Key features 

- Execute all browser code in the cloud far from users 
- No pixel pushing 
- Lightning-fast network (<50ms away from 95% of Internet users globally) 
- Compatibility with all browsers 
- Deploy with or without a device client 
- Stop data from leaving corporate apps and gain Shadow IT visibility 
- Block threats with intelligence from our network firewall and Zero Trust rules 
- 100% uptime SLA 